Subject: Re: How to get better security people
On Mar 29, 2:22pm, Sean Donelan wrote:
> On Tue, 26 Mar 2002, Kelly J. Cooper wrote:
> > I also had a short list of other questions that I used to try and get
> > a feel for the person's "security minded-ness" (my term, I invented it
> > a'ight?). Because when it comes to ISP security, there's a very
> > limited pool of talent so candidates are unlikely to come in with the
> > right skillset native.
>
> What is the right mindset for ISP security? It seems to be a little
> different from the traditional security mindset found in the corporate
> or military security world. A lot of sharp people with that background
> try to move into ISP security, but they often have a difficult time
> making the transition.

Hmm. Incredibly biased opinion follows...

A basic security mindset is a combination of paranoia, a talent for contingency planning, and an understanding of business need. However, the paranoia must not be so extensive as to be crippling, the contingency planning must not be so obsessive as to be paralysing, and the understanding of business need should not interfere with the periodic difficult and unpopular decisions that must be made to protect the greater good.

Specific skill-sets that are useful for ISP Operational Security (pick one or mix-n-match for the overachieving):

- Incident Response/handling capability
- Deep understanding of TCP/IP
- Deep understanding of the design of big WANs
- Deep understanding of the design of switched LANs (hosting ISPs)
- Unix administration and forensics
- Microsoft administration and forensics
- Firewall administration and forensics

(NOTE that I'm not covering Engineering Security, at least not in this post.)

I would say the most important skill for a dedicated ISP Security person to have is that of incident handling. Then again, it happens to be the one skill out of this set that I have, so extra bias, hold the sauce. But hear me out...

When a customer gets hit, it can be a break-in, a DoS attack, a DDoS attack, an insider betrayal, some accidentally free porn, a really dumb move by the marketing department, a political sit-in, bad press, an attempted break-in, a misconfiguration, a /. overload or something else entirely. Whatever it is, once the initial triage is done and the Security person is brought in, she's got to have a broad base of knowledge about the possibilities as well as knowledge of her own organization to know how to engage experts to assist. Plus she's got to document the whole thing and keep track of the contributions by the customer, by the experts, by management, etc.

A really great security team has someone with each of those skills who can be brought into an event to help, each utilising her particular expertise. They've sat in with other teams so that they understand how the network works, how triage and trouble-shooting are done, how teams hand things off to one another, etc. And they have just enough cross-training to know when they should hand off to another security team-member. Best case scenario, most of the team has incident handling skills so that no particular handler is always getting paged.

So the mindset is jack-of-all-trades rather than specifically focused on one task. The work is interrupt-driven rather than project or patch/upgrade driven. The mindset is to share information (judiciously) and bring people in, rather than keeping it a secret and doing it yourself. Those differences might explain the difficult transitions.

> The government is about to spend a lot of
> money training students in "cybersecurity." Congressional aides have
> been coming to Internet conferences asking people what should Congress
> spend money on.
>
> http://www.washingtonpost.com/wp-dyn/articles/A33471-2002Mar28.html
>
> But are the students really getting the right training for working in
> a public network such as an ISP?

If they're being taught about security in general, like policy and procedure writing and management, what we mean by access controls, how to handle disaster recovery, crypto basics, perimeter management, incident response, then that's fantastic. Even if they go to an ISP, they'll have the right skillset to start and they can learn the rest on the job.

If they are ALSO being taught network design (LAN and WAN), firewall basics, the value of the heterogeneous network, how packets get put together and pulled apart, routing, end-to-end troubleshooting, DNS infrastructure, and maybe the specific configuration details for some of the top router vendors, then they are absolutely golden to go into ISP Security.

But since I have no idea what they're learning, I can't comment on that specific article. There's some indication in the article that students are learning system hardening. That's usually a good skill. There's no indication that students are focusing on ISP skills or on ISP jobs.

So, just out of curiosity, why are you asking this question?

On the NSF's website, I found the Education & Human Resources (EHR) pages - www.ehr.nsf.gov. It includes the Division of Undergraduate Education (DUE) - www.ehr.nsf.gov/due/ - which includes the Federal Cyber Service: Scholarship for Service (SFS) page, which appears to be the program referenced in the article.

http://www.ehr.nsf.gov/ehr/due/programs/sfs/

But it's hard to tell, without digging through each of the awards that have been made, what they're focusing on, although the general sense I get is that they're trying to increase the number of clueful IT Security personnel.

So is your point idle speculation? Or that we should be designing curricula to increase the number of ISP Security folks? Or are we bemoaning the government's possibly misguided focus?

Regards,
Kelly J.

--
Kelly J. Cooper - Security Engineer, CISSP
GENUITY - Main # - 800-632-7638
3 Van de Graaff Drive - Fax - 781-262-2744
Burlington, MA 01803 - http://www.genuity.net

On Fri, 29 Mar 2002, Kelly J. Cooper wrote:
> So, just out of curiosity, why are you asking this question?

Because a couple of congressional aides asked me what I would spend the money on. My first response was my brain didn't know how to spend that much money. But then you get in the swing of things, and it's just a few extra zeroes between friends. The problem is the government has been spending varying amounts of money on computer security for decades, and should they keep giving money to the same programs they've always funded? Or is there something they haven't tried before that might have more impact? If I was king of the world, I have some opinions about cool stuff the government could do. But if there was something incredibly obvious that I missed, write your elected representative. Who knows, they might actually listen.